Security researchers have spotted a massive malware campaign that sent out 23 million messages laden with Locky ransomware in the span of 24 hours.

Security experts at AppRiver detected the campaign on 28 August at around 07:00 CDT. There wasn’t much to the attack emails spewed out by the campaign. Just some seemingly innocuous subject lines like “pictures” and “documents” along with a request to “download it here.”

One of the Locky attack emails spotted by AppRiver.

Needless to say, nothing good came to recipients who decided to open the attachment. AppRiver’s Troy Gill clarifies that point:

“Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the users now encrypted files.”

After completing its encryption routine, Locky displayed a ransom note with a link to a .onion portal. Victims who visited that site saw the ransomware’s prompt to pay 0.5 Bitcoins (approximately US $2,413.50) in exchange for “special software” known as the “Locky Decryptor.”

Locky malware campaign’s .onion portal. (Source: AppRiver)

This campaign, which isn’t the only sudden surge in Locky-laden emails to surface in recent memory, clocked in more than 5.6 million emails within the span of three hours. That total jumped to more than 23 million attack messages over the next day.

Locky has a bit of a history of going dark and coming back out of nowhere. (Its reliance on spam-based botnets like Necurs is partially to blame.)

David Bisson Follow @DMBissonDavid Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

I just showed it to VirusTotal; 36 out of 58 products failed to flag it. Of those, nine were unable to handle the 7z format it was compressed with. Although I feel sure that it wouldn't have been spammed out unless the author of the malware was confident that his targets could handle 7z.

Some of the failing products were widely used – AVG, Panda, Sophos and Symantec.

If you ever wonder how good is the antivirus that you're using, show it some of the malware that arrives at your in-box every day.